Enough with the Insanity 
Dictionary Based Rainbow Tables 

Matt Weir 

Florida State University 

Shmoocon 2009 



About Me 



# Name: Matt Weir 

# Occupation: PhD Student at Florida State University 

# Research: Password Cracking Techniques 

# Previous Job: Network Security Engineer, Northrop Grumman TASC 



Special Thanks to 



# Professor Sudhir Aggarwal 

# Edson Manners 

# National Institute of Justice 

# Zhu Shuanglei 

# Renderman 



My Research 



# Collect and analyze real password lists to figure out how people create passwords 

# Develop tools and techniques to attack password creation strategies 
Tools and Tables + Blog 



# http://reusablesec.googlepages.com 

# Leave off the www 

# If you have space to host additional tables, please talk to me afterwards 



Disclaimer 

# This talk should not exist 

# We've known for over 20 years how to protect 
against hash lookup attacks 

# Just use a strong RANDOM password salt 

# Yet, there's many examples where this is not done 

- Microsoft LanMAN, NTLM, MSCache 

- WPA, WPA2 

- Most websites use MD5, SHA1, or MYSQL323 



Stop Blaming the Users 

# Yes, people don't care about security 

# Yes, people choose stupid passwords 

# Wishing people used better passwords hasn't 
worked so far 

# All those security memos don't seem to be doing 
that much good either 

# At the very least we need to be using strong 
password hashes 




Plan 



# Very briefly discuss password hashes and salts 

# Hash Lookup Tables 

# Rainbow Tables (in general) 

# Dictionary Based Rainbow Tables 

# Questions + Beer 
Two Types of Password Cracking 

# Online 

- Trying different passwords to log in 

- Can be slow and noisy 

- You may only be allowed a few guesses 

# Offline 

- You grabbed the password hashes 

- You now are only limited by how fast your 
computer is 




Password Hashes 

# Step 1) User creates password : "shmoocon" 

# Step 2) Computer Hashes the password 

# MD5("shmoocon") = 07532c0b15a34bccf031607f53ea6f1b 

# Step 3) To log in the user types "shmoocon" 

# Step 4) The computer hashes "shmoocon" and 
compares it against the hash it stored 




Password Salts 




# Salts are a value added to a password to make it harder to crack 

# For example, you could add the username 

- MD5("bob"+"shmoocon") = a543bb95c4bcdf307a943cc801fdd3d3 

- MD5("tom"+"shmoocon") = b947c10f00579746df6fc2f385486187 

# In real life, use a RANDOM value 



Password Salts (cont.) 



# Important Points 

- Not secret 

- User does not need to know it. 

- Stored on the server 

- Should be unique per user 

- Does not need to change 
Hash Lookup Tables 

# Most of the time cracking passwords is spent 
generating hashes 

# Why not save that hash info in a database? 



Index  Hash                              Plaintext 

1      5f4dcc3b5aa765d61d8327deb882cf99  password 

2      07532c0b15a34bccf031607f53ea6f1b  shmoocon 

3      cc25c0f861a83f5efadc6e1ba9d1269e  monkey123 
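As an added worked example (not from the slides or from any of the tools they mention), here is what the salt changes for a hash lookup table, in Python. It uses MD5 and salt-then-password concatenation only to mirror the slides' MD5("bob"+"shmoocon") example; the wordlist, the user record layout and the random salt size are constructed for the example.

```python
import hashlib
import secrets

# Constructed wordlist standing in for a cracking dictionary
WORDLIST = ["password", "shmoocon", "monkey123", "letmein"]


def unsalted_hash(password):
    """MD5 of the bare password, as in the slides' login example."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(salt, password):
    """Salt prepended to the password before hashing, as in MD5("bob"+"shmoocon")."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def new_user_record(password):
    """What the server stores: a random per-user salt (not secret) and the salted hash."""
    salt = secrets.token_hex(16)        # assumption: 16 random bytes, hex encoded
    return {"salt": salt, "hash": salted_hash(salt, password)}


def verify(record, password):
    """Login check: hash the attempt with the stored salt and compare to the stored hash."""
    return salted_hash(record["salt"], password) == record["hash"]


def build_lookup_table(words):
    """Hash lookup table: hash -> plaintext, computed once and reused against every stolen hash."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stolen_hash):
    """A cracked password is a single dictionary lookup, no hashing needed at lookup time."""
    return table.get(stolen_hash)


def demo():
    table = build_lookup_table(WORDLIST)
    record = new_user_record("shmoocon")
    return {
        # the unsalted hash of a dictionary word is in the table
        "unsalted_cracked": lookup(table, unsalted_hash("shmoocon")),
        # the salted hash is not: the table was built without this user's salt
        "salted_cracked": lookup(table, record["hash"]),
        # per-user salts give two users with the same password different hashes
        "username_salts_differ": salted_hash("bob", "shmoocon") != salted_hash("tom", "shmoocon"),
        "login_ok": verify(record, "shmoocon"),
        "login_wrong": verify(record, "Shmoocon"),
    }
```

With a unique random salt per user, the table would have to be rebuilt once per user, which is exactly the hashing work a lookup table is meant to avoid.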
Problems With Hash Lookup Tables 

# They're Huge!! 

- Example: The Church of Wifi WPA "Rainbow" 
Tables 

- Key Size: 1 billion, 

- (1 million dictionary words x 1 thousand SSIDs) 

- File Size: 33 Gigabytes 




Rainbow Tables 



# Layman's Terms: A very efficient compression 
function for hash lookup tables 

# Reduces the size of the hash lookup tables by a 
factor of several thousand 

# It is "lossy". May not save all the possible hash 
values 






Three Terms to Know when 
Creating Rainbow Tables 

# Number of Chains 

- RT's store hash information in "chains". The more chains you have, the 
more potential hashes you can store 

# Chain Length 

- The number of hashes stored in each chain 

- Essentially the compression for the RT 

# Index Offset 

- Used to prevent collisions between multiple RTs 



A Quick Note on the 
Index Value 



# Internally the Index Value refers to a number between 0 and keyspace max -1. 

# For example if you are brute-forcing a 6 character password of lowercase letters 

# keyspace max = 26^6 = 308,915,776 
Three Main Functions of Rainbow Tables 

# IndexToPlain 

- Converts an Index value to a plaintext value 

- aka 2314 = "cat1" 

- Index values range from 0 to max keyspace -1 

# PlainToHash 

- Hashes a plaintext value 

- aka "Cat1" = a980d10665f268b0ec6c13ebea43034f 

# HashToIndex 

- Converts a Hash value to an Index Value 





Creating a Chain 

# First select a random Index Value 

101 

# Next run IndexToPlain to figure out a plaintext word 

101 — ► CAT1 

# Next run PlainToHash to hash the password 

101 — ► CAT1 — ► 0AF12 

# Now run HashToIndex to get the next Index Value 

101 — ► CAT1 — ► 0AF12 — ► 234 

# Run IndexToPlain then PlainToHash, and keep going 

101 — ► CAT1 — ► 0AF12 — ► 234 — ► HAT4 — ► 132C9 — ► ... — ► A245F — ► 485 

Well You get the Idea 



Saving the Chain 

101 — ► CAT1 — ► 0AF12 — ► 234 — ► HAT4 — ► 132C9 — ► ... — ► A245F — ► 485 

# You only save the First and Last Index Value for each chain 

# The first Index Value (101) is used to rebuild the chain 

# The last Index Value (485) is used to check if a password is in the chain 
Looking up a Password Hash 

# The HashToIndex function changes depending on the position in the chain 

# Take the Hash you are trying to crack, and 
generate a chain from it as if it was at each 
possible position in the chain 



0AF12 — ► 234 

0AF12 — ► 154 — ► HAT4 — ► 132C9 — ► 634 

# If the chain length = 1000, then you would create 1000 mini chains for each password hash 
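The chain construction and lookup described on the last few slides, as an added example written for this page; it is not code from drcrack, rcrack or any other tool. It uses a constructed toy keyspace (three lowercase letters followed by one digit, 175,760 plaintexts) so that a whole table can be built and searched in a moment. Giving each position its own character set is an assumption of this example: all-lowercase positions give the plain brute-force IndexToPlain, a letters-then-digits pattern gives a targeted one, from the same code. MD5 stands in for the hash, and the reduction (first 64 bits of the hash plus the chain position and a per-table Index Offset, modulo the keyspace) is one simple choice, not the one any particular tool uses.

```python
import hashlib
import random

# Constructed toy keyspace: three lowercase letters then one digit (26^3 * 10 = 175,760 plaintexts).
# Per-position character sets are an assumption of this example (see lead-in).
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
PATTERN = [LOWER, LOWER, LOWER, DIGITS]
KEYSPACE = 1
for charset in PATTERN:
    KEYSPACE *= len(charset)


def index_to_plain(index):
    """IndexToPlain: map an index in [0, KEYSPACE-1] to a plaintext, like a mixed-radix number."""
    if not 0 <= index < KEYSPACE:
        raise ValueError("index outside the keyspace")
    chars = []
    for charset in reversed(PATTERN):          # least significant position first
        index, r = divmod(index, len(charset))
        chars.append(charset[r])
    return "".join(reversed(chars))


def plain_to_hash(plain):
    """PlainToHash: unsalted MD5, as in the slides."""
    return hashlib.md5(plain.encode()).hexdigest()


class RainbowTable:
    def __init__(self, chain_length, offset=0):
        self.chain_length = chain_length
        self.offset = offset    # Index Offset: a different value per table keeps tables from sharing chains
        self.chains = {}        # end index -> start index: only these two values are stored per chain

    def hash_to_index(self, digest, position):
        """HashToIndex: reduce a hash to an index. Depending on the chain position is what makes
        this a rainbow table; the exact mixing here is a simple choice for the example."""
        return (int(digest[:16], 16) + position + self.offset) % KEYSPACE

    def step(self, index, position):
        """One link of a chain: IndexToPlain -> PlainToHash -> HashToIndex."""
        return self.hash_to_index(plain_to_hash(index_to_plain(index)), position)

    def build(self, num_chains, seed=1):
        rng = random.Random(seed)
        for _ in range(num_chains):
            start = rng.randrange(KEYSPACE)    # first select a random Index Value
            index = start
            for position in range(self.chain_length):
                index = self.step(index, position)
            # Two chains that end on the same index have merged: only one can be kept,
            # and the hashes that were only in the other one are lost.
            self.chains.setdefault(index, start)
        return self

    def lookup(self, target):
        """Crack one hash: generate a mini chain as if the hash sat at each possible position,
        look up the end point, rebuild the stored chain from its first index and verify."""
        for assumed in range(self.chain_length - 1, -1, -1):   # shortest mini chains first
            index = self.hash_to_index(target, assumed)
            for position in range(assumed + 1, self.chain_length):
                index = self.step(index, position)
            start = self.chains.get(index)
            if start is None:
                continue
            index = start
            for position in range(self.chain_length):
                plain = index_to_plain(index)
                digest = plain_to_hash(plain)
                if digest == target:
                    return plain
                index = self.hash_to_index(digest, position)
            # End point matched but the rebuilt chain did not contain the password: a false
            # positive caused by a merge, so keep trying the other positions.
        return None


def demo(chain_length=100, num_chains=1000):
    """Build a table, then crack a hash known to be at the head of a stored chain."""
    table = RainbowTable(chain_length).build(num_chains)
    known_start = next(iter(table.chains.values()))
    password = index_to_plain(known_start)
    return password, table.lookup(plain_to_hash(password)), len(table.chains)


def crack_rate(table, samples=30, seed=7):
    """Fraction of random plaintexts the table cracks: the table is probabilistic, so this stays below 1."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        plain = index_to_plain(rng.randrange(KEYSPACE))
        if table.lookup(plain_to_hash(plain)) == plain:
            hits += 1
    return hits / samples
```

`len(table.chains)` coming back smaller than `num_chains` is the merge problem in miniature, and `crack_rate` makes the probabilistic nature of the table visible: raising `num_chains` or `chain_length` improves it, at the cost of creation time and of more merges.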



Problems with Rainbow 
Tables 



# Probabilistic in nature: No guarantee that a 
password will be in it 

# Long creation time 

# Two hashes take twice as long to crack as one 

# Collisions result in a lot of wasted work 
Collisions = Bad 



# While the hash you are cracking may be resistant 
to accidental collisions, the Index Value is not 

# Two, (or more), hashes can generate the same 
index value 

0AF12 — ► 234 
4245C — ► 234 

# This causes chains to merge 

# This also can result in false positives 

- You rebuild chains that don't actually contain the 
password 



Traditional Rainbow Tables 

# The IndexToPlain function creates brute-force 
guesses 

# aka aaaa, aaab, aaac, aaad 

# Very useful, but limited by character selection and 
password length 

# LanMan passwords are completely broken by this approach 




Rcracki 



# The people at www.freerainbowtables.com created 
Hybrid Rainbow Tables 

# They do a targeted brute force attack 

- Example: Try four letters followed by two numbers 

- aaaa00, aaab00, aaac00, ..., qrst12 

# This allows you to try and crack much longer 
passwords 



Dictionary Based 
Rainbow Tables 



# Essentially all I did was modify the IndexToPlain 
function to select a dictionary word + mangling rule 

# Not rocket science 

# Made a few other improvements as well 







About those Other 
Improvements 

# Multi-threaded the rainbow table creator 

# Added faster hashing functions 

# Added support for additional hash types 

- lm ntlm md2 md4 md5 doublemd5 sha1 ripemd160 mysql323 mysqlsha1 ciscopix mscache halflmchall lmchall ntlmchall oracle 

# Now creates/uses config files 

# Plus a few other tweaks and optimizations 



Other Dictionary Based 
Rainbow Table Programs 

# rcrackd from www.freerainbowtables.com 

# Ophcrack's free "Vista" rainbow tables 
Rules Generator 



**************************************************************** 
*               drcrack Config File Generator                  * 
*     (at least until I can come up with a better name)        * 
*                                                              * 
*                       version 1.0.0                          * 
*                      Author: Matt Weir                       * 
*        Contact info: weir [at] cs [dot] fsu [dot] edu        * 
* special thanks to Florida State University and the National  * 
*       Institute of Justice for funding this research         * 
**************************************************************** 

Please select an option 
(1) Modify the character sets, (aka special characters [ L&jF$*&*]) 
(2) Set word mangling rules, (aka add two numbers to the end) 
(3) save settings 
(4) Load settings 
(5) Quit 

Please choose one of the options 
<enter choice>: 
Important Note 



# It is very important to try and minimize rules that 
generate duplicate guesses 

- Try word as is: password 

- Lowercase the word: password 

# Remember, collisions are bad 

# You also need to remove duplicate words from 
your input dictionary 
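An added example (not the drcrack code) of a dictionary-based IndexToPlain and of the duplicate-guess problem just described: the index selects a mangling rule, a word from the dictionary and that rule's variant, and a helper walks the whole keyspace to find guesses that more than one index produces. The wordlist, the rule set and the letter-replacement map are constructed for the example; the repeated word in the input list and the "as is" / "lowercase" rule pair are the two cases the slide warns about.

```python
# Constructed stand-in for an input dictionary such as dic-0294; note "password" appears twice.
RAW_WORDS = ["password", "Shmoocon", "monkey", "password"]
SPECIALS = "!@#$"
LEET = str.maketrans("aeos", "@30$")   # constructed "standard letter replacements"


def load_dictionary(words):
    """Drop duplicate words, keeping order: a repeated word gives every rule a twin guess."""
    seen = set()
    unique = []
    for word in words:
        if word not in seen:
            seen.add(word)
            unique.append(word)
    return unique


WORDS = load_dictionary(RAW_WORDS)

# Each rule is (name, number of variants per word, function(word, variant) -> guess).
# A rule with one guess per word has one variant; "append 2 digits" has 100.
RULES = [
    ("as-is", 1, lambda w, k: w),
    ("lowercase", 1, lambda w, k: w.lower()),
    ("capitalize", 1, lambda w, k: w.capitalize()),
    ("append 2 digits", 100, lambda w, k: w + f"{k:02d}"),
    ("leet + special + digit", len(SPECIALS) * 10,
     lambda w, k: w.translate(LEET) + SPECIALS[k // 10] + str(k % 10)),
]

KEYSPACE = len(WORDS) * sum(count for _, count, _ in RULES)


def index_to_plain(index):
    """Dictionary-based IndexToPlain: rule blocks are laid out one after another, and inside a
    block the index is (word, variant) in mixed radix."""
    if not 0 <= index < KEYSPACE:
        raise ValueError("index outside the keyspace")
    for _, count, rule in RULES:
        block = len(WORDS) * count
        if index < block:
            word_i, variant = divmod(index, count)
            return rule(WORDS[word_i], variant)
        index -= block
    raise AssertionError("unreachable: KEYSPACE covers every rule block")


def duplicate_guesses():
    """Every guess that more than one index produces, with the indices that produce it.
    Each entry is wasted chain work and one more chance for chains to merge."""
    seen = {}
    for index in range(KEYSPACE):
        seen.setdefault(index_to_plain(index), []).append(index)
    return {guess: idx for guess, idx in seen.items() if len(idx) > 1}


def unique_guess_count():
    """How many distinct plaintexts the keyspace really covers."""
    return len({index_to_plain(i) for i in range(KEYSPACE)})
```

Running `duplicate_guesses()` on a real rule set is a cheap pre-check before spending hours on table creation: the "as is" rule duplicates "lowercase" for every all-lowercase word and "capitalize" for every already-capitalized one, and each duplicate is an index the table stores for nothing.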




Sample Tables 



# Basic NTLM Tables + Basic MSCache Tables 

# Uses dic-0294 as the input dictionary 

# Key Space: 26,606,966,603 

# Size: 400 Megs 

# Sample rules 

- Add 4 digits to the end 

- Standard letter replacements, add a special 
character and a digit to the end 



Keyboard Combo Table 

# NTLM 1-3 Keyboard Combos, NTLM 4 Keyboard 
Combo 

# Custom dictionary has 658 keyboard combos 

# Combines them to attack strong +15 character 
passwords 

# If you want the user to create a 15 character password some of them are going to use qwertyuiopasdf 

# Problems with collisions 



Double Basic Rule 



# Supports NTLM 

# Creates a password and then doubles it 

# Password12Password12 

# Once again, attacking the users 

# Some users just type eight character passwords in 
twice 




Passphrases 



# Still working on this one 

# Just use a passphrase input dictionary 

# Example passphrase 

- !!It's fun to do the impossible! 

# Eventually plan to add support for grammar 
generation 

- Proper-noun + Verbs + a + Noun 



Not Better, Just 
Different 

# Does not replace existing rainbow tables 

# Bruteforce attacks are still wonderful, don't let 
anyone tell you differently 

# With rcracki's hybrid tables you can use targeted 
brute force against fairly long passwords 

# Still for longer passwords, dictionary attacks may 
be the only feasible option 



Questions/Comments 

"If I can accomplish a minor task thousands have already completed, ... available methods and tools, then I can do anything!" 

# E-mail: weir@cs.fsu.edu 



